Analysis and opinion by Christopher Soghoian, security and privacy researcher.

Wednesday, August 08, 2012

Responding to Wired's ad hominem hatchet job

I have long been a fan of Wired's coverage of privacy and security issues, particularly the insightful reporting and analysis by Ryan Singel, currently the editor of the Threat Level blog. It is for that reason that I am saddened to see Ryan stoop to twisting my words in support of a lengthy character assassination piece targeted against me.

Brief background

Two weeks ago, Wired published a glowing, 2000 word story by Quinn Norton about CryptoCat, an encrypted chat tool. Quinn was not the first journalist to shower praise upon Cryptocat -- writers at the New York Times and Forbes had previously done so too.

I subsequently published a lengthy blog post, which compared the media's coverage of Cryptocat, a relatively new, unproven security tool, to the media's previous fawning coverage of Haystack, a tool which, once analyzed by experts, was revealed to be pure snakeoil.

The message in my blog post -- that journalists risk exposing their readers to harm when they hype unproven security technologies -- was directed at the media as a whole. In support of my argument, I cited glowing praise for such technologies printed in the Guardian, the New York Times, Newsweek, Forbes and Wired.

Today, Ryan Singel, the editor at Wired's Threat Level blog, responded to my blog post, but incorrectly frames my criticism as if it were solely directed at Quinn Norton and her coverage of Cryptocat. In doing so, Ryan inaccurately paints me as a sexist, security-community insider who is unfairly criticizing a tool "created by an outsider to the clubby crypto community and one that’s written up by a woman and reviewed by a female security expert."

The importance of dissenting technical experts

One of the biggest criticisms of Norton's story I expressed in my blog post was the fact that she did not quote a single technical expert that was critical of Cryptocat, even though there are quite a few who have been vocal with their concerns:

Other than Kobeissi, Norton's only other identified sources in the story are Meredith Patterson, a security researcher that was previously critical of Cryptocat who is quoted saying "although [Cryptocat] got off to a bumpy start, he’s risen to the occasion admirably" and an unnamed active member of Anonymous, who is quoted saying "if it's a hurry and someone needs something quickly, [use] Cryptocat."

As I also noted in my post:

Even though their voices were not heard in the Wired profile, several prominent experts in the security community have criticized the web-based version of Cryptocat. These critics include Thomas Ptacek, Zooko Wilcox-O'Hearn, Moxie Marlinspike and Jake Appelbaum.

Singel frames my criticism here as sexist. Meredith Patterson is a woman, whereas the Cryptocat critics I named were all men. Singel claims that, "Patterson, one of the all-too few female security researchers, doesn’t seem to count for much in Soghoian’s analysis." He adds later, "instead, Soghoian believes, Norton should have turned to one of four more vocal critics he names — all of them men."

As an initial matter, let me say that I have genuine respect for Meredith and her skills as a security researcher. We've known each other for several years, have attended several privacy conferences together, and have a shared goal in keeping the communications of users out of the prying hands of the government. Nowhere in my prior blog post do I dismiss Patterson's skills, credentials, or technical opinions.

My criticism of Norton's piece, in this respect, is not about the specific technical expert who is quoted as saying positive things about Cryptocat, but rather, the total lack of any dissenting quotes. If the rest of the security community were agnostic about the merits of Cryptocat, then it would perhaps be fine to quote a single technical expert who has positive things to say. In this case though, there are several technical experts who have deep concerns about the security of Cryptocat, experts whose research and views Wired has covered at length in the past.

As Singel has described it, I would have liked Norton to talk to a more qualified expert, and to not print Patterson's opinions. That is not the case. I just think that a dissenting expert should be quoted too.

To summarize, the gender of the technical expert quoted saying positive things about Cryptocat has absolutely nothing at all to do with my belief that a responsible journalist would have spoken to, and quoted at least one technical expert who is critical of the tool. Even more so when the headline of the story is "This Cute Chat Site Could Save Your Life and Help Overthrow Your Government."

After I published my blog post, Singel criticized me for quoting Norton's tweets, claiming that I was using "an outsider's critique of your boys club as a way to discredit them."

Although Singel clearly disagrees, I felt, and still feel that it is relevant to highlight the fact that Norton believes that the crypto community, and in particular, the critics of Cryptocat, are just privileged, paranoid geeks who have no real problems.

As I mentioned in my blog post, two of the most vocal critics of Cryptocat's web based chat app, Jake Appelbaum and Moxie Marlinspike, have faced pretty extreme real world problems of surveillance and government harassment.

After Appelbaum was outed by the press as being associated with WikiLeaks, Twitter, Google and Sonic.net were forced to provide his communication records to the FBI as part of its investigation into WikiLeaks. At least one of Appelbaum's friends and colleagues has been forced to testify at a federal grand jury, and he has been repeatedly stopped at the border, harassed, and had digital devices seized by the authorities.

Likewise, for some time, Marlinspike was routinely stopped at the border by US authorities, had his laptop and phones searched, and in at least one case, was questioned by a US embassy official, who had a photo of Marlinspike at hand, before he could get on a plane back to the US.

While Appelbaum and Marlinspike have (thankfully) not been physically tortured by government agents, their paranoia and dedication towards improving the state of Internet security is by no means theoretical. Their concerns are legitimate, and their paranoia is justified.

Although human interest stories sell papers and lead to page clicks, the media needs to take some responsibility for its ignorant hyping of new security tools and services. When a PR person retained by a new hot security startup pitches you, consider approaching an independent security researcher or two for their thoughts. Even if it sounds great, please refrain from showering the tool with unqualified praise.

By all means, feel free to continue hyping the latest social-photo-geo-camera-dating app, but before you tell your readers that a new security tool will lead to the next Arab Spring or prevent the NSA from reading peoples' emails, step back, take a deep breath, and pull the power cord from your computer.

Singel states that the main point of my post "seemed to be to tell a woman to shut up and unplug from the net." He further twists my words by writing:

Moreover, Soghoian suggesting that if Quinn Norton ever wanted to write about encryption tools in the future, she ought to "step back, take a deep breath, and pull the power cord from your computer" isn't just rude and obnoxious, it’s border-line sexist and an outright abuse of Soghoian's place in the computer security world.

The harsh words in my conclusion, which Singel quotes, were aimed at "the media." This of course includes Wired, but also many other journalists and news organizations who regularly publish stories on the latest new snake-oil product that uses "military-grade encryption."

In fact, the words "ignorant hyping" in the blog post's conclusion link to a recent New York Times article about Wickr, a new mobile app that the Times reveals will let "users transmit texts, photos and videos through secure and anonymous means previously reserved for the likes of the military and intelligence operatives."

(This is, of course, rubbish. There are no anonymity technologies that have been "reserved for the likes of the military and intelligence operatives.")

Finally, in support of his charge that I am sexist, Singel twists my words by stating that "Soghoian suggest[s] that if Quinn Norton ever wanted to write about encryption tools in the future, she ought to 'step back, take a deep breath, and pull the power cord from your computer.'"

Let me be clear: Nowhere in my blog post do I tell Quinn that she should never again write about encryption tools. Instead, I warn journalists who are planning to write "that a new security tool will lead to the next Arab Spring or prevent the NSA from reading peoples' emails." That is very different than "ever writing about encryption tools in the future."

Of course I want journalists to write about encryption, privacy, security and the importance of protecting data. I want users to be safe, and one of the best ways for them to discover and then adopt safe practices is by reading about them in the media.

(Strangely enough, Wired's chilling coverage this week of the devastating hack against Mat Honan has been absolutely fantastic, offering a clear demonstration of how difficult it is for users to protect their data even when using tools and services created by billion dollar corporations.)

What I wish to avoid though, is news stories that hype technologies that simply cannot, and will not deliver what has been promised to users. By all means, please tell users about two-factor authentication, encrypted cloud backups with keys not known to providers, and VPN services. Just don't claim that these technologies will plunge the NSA into darkness or lead to the overthrow of authoritarian governments.

I do not hate female journalists

As an activist that uses media coverage to pressure companies to change their privacy invading practices, I regularly work with journalists around the world, feeding them stories, tips, and when they want them, quotes. In the more than six years that I have been working with the media (including Wired on countless occasions), never once has the gender of the reporter played any role in whether or not I went to them with a scoop, or returned their phone calls or emails.

The media are of course not equal in their understanding of technology or their willingness to dig deep into a tech issue. In my experience, gender plays absolutely no role in determining the quality of a tech journalist.

For example, of the entire news media, the What They Know team at the Wall Street Journal (Julia Angwin and Jennifer Valentino-DeVries) are by far the best in the business when it comes to covering privacy and security. They break major stories, do great investigative research, and routinely seek the confirmation of multiple technical experts in order to verify claims before they print them. On this beat, their coverage is first rate, and quite frankly, puts the New York Times, the Washington Post, Wired, Ars and others to shame. It is not surprising then, that when a great scoop lands in my lap, I take it to the WSJ first.

I judge, praise and criticize journalists on the tech beat based on the quality of their reporting, not by their gender. In this case, I criticized Quinn Norton's Wired story because it was deeply flawed, not because she is a woman. To claim otherwise is pure bullshit.

26 comments:

It's not like you deleted the gushing articles off the Internet-- all you did was criticize their lack of hard analysis. Is a successful algorithm going to fail because someone discusses its technical merit rather than a human interest element? Is a bad algorithm only bad because a man said so? Wired is coming dangerously close to saying that math itself is sexist.

Hi Chris, I agree with much of what you have to say in this post, and how this thread got started.

However it would be in your interest to acknowledge that patriarchy does exist, that gender is always an issue, and more needs to be done to empower women journalists and women security researchers.

Americans tend to deride programs like Affirmative Action, yet there is no such thing as a level playing field. There are real biases at play, in our culture, and in our economy, that put women a few steps behind where men start from.

You did nothing wrong or sexist in your original post. Yet you are vulnerable to the argument that you're not doing enough. That you're not conscious enough of gender dynamics, so while having no malice, your words could easily be misunderstood by others as having a gender bias to them.

This isn't a critique, more a word of advice. Gender does matter, and to pretend that it does not will only lead you to reinforce existing biases, such as thinking first of male security researchers before female.

Are there more male security researchers than female? If so, take that on as a challenge, and mentor some female researchers and help them reach the top-tier of gurus.

-Sincerely, A Canadian Friend

p.s. It took me a dozen tries to beat the captcha. I'm not a robot, but you'd have to be a robot to read that stuff.

As a female privacy professional who has known you for years, I can say that I was surprised and saddened by these attacks on your character. I did not read your post as sexist. Sexism certainly still exists, but I have never once experienced anything close to sexism from you or witnessed it. Bullshit indeed.

This was a very cogent analysis of the unfortunate situation. I found myself respecting the author and his persuasive analysis. How sad then that your summation falls so short by the inclusion of an unnecessary expletive.

Thank the good Lord that the crypto community is filled with “mostly rich [first] world white boys [with] no real problems who don’t realize they only build tools [for] themselves.” It means, Miss Norton, that the applications will actually work as advertised…

I think this response is mostly fair, but I think you have missed Quinn Norton's point, and continue to do so by citing Appelbaum and Marlinspike as counterexamples.

What Norton has been saying all along is that there is a large group of people who have a genuine need for online anonymity, often linked to genuine threats to their personal safety, but who do not need protection against adversaries with the resources of a nation-state. Many of them only need to protect themselves from one person, who is likely to have somewhat more resources than they do, but is in the end still just one person. Further, some (possibly large) subset of that group cannot make use of software that has to be installed, either because the only computers they have the use of are in public libraries or similar, or because the act of installing anonymity software on the computer they have the use of would reveal them to their particular adversary.

The existing anonymity software that meets the approval of "the crypto community" is first-order useless to this population. Critically, in part this is because "the crypto community" has, to date, been laser-focused on the threat model in which the adversary is a nation-state. CryptoCat by contrast was at least trying to cater to users with this rather different threat model.

Your intentions may be pure, but prejudice goes the other way as well. By saying things like, "gender is always an issue," "there is no such thing as a level playing field," you reveal your own biases. Believe it or not, sexist males are actually a small (if sometimes loud and obnoxious) minority.

I have always disagreed with the "fight fire with fire" method of dealing with sexism, racism, and so on. The best way to deal with bias is to acknowledge and deal with it where it exists. Not to presume that every white male is biased against women and then introduce a deliberate bias toward women in an effort to balance things out.

And before someone labels me a supporter of the status quo, let me tell you this: I have a three-year-old daughter. As she grows up, I'm not going to tell her that she should grow up to be an engineer because there aren't enough women in the field. I'm going to tell her that she should grow up to be whatever she wants to be //including// an engineer, and that she shouldn't be dissuaded from going into an exciting field just because there aren't many women in it.

Additionally, my two favorite people in the Maker movement are both women: Jeri Ellsworth and Limor Fried. I want to see more women in technology and engineering, I really do. I just don't think that the best answer to a boys club is to create a girls club alongside it.

It's precisely for reasons such as this that I unsubscribed from Wired's monthly publication -- I had a personal problem with giving any financial support to a presumed technology magazine that carried such overtly political undertones. There were times when they seemed to be cleaning up their act; but for every such instance, there were too many more that seemed to point in the opposite direction. Too bad, really. Perhaps eventually, enough time spent in the financial hurt locker will clear their heads.

Kobeissi himself said: "I hope that one day it'll be secure enough to allow even people in dangerous situations to communicate safely. We're not there yet because we need more research, but I want to provide an easy to use venue for secure communication for absolutely everyone."

This poor guy is getting trolled with over the top feminist rhetoric, and I suspect he's actually dignifying it with a response because he's still attached to the academy. These statements about gender, "what, it's because I have a vagina, isn't it?" are worth ignoring.

"This isn't a critique, more a word of advice. Gender does matter, and to pretend that it does not will only lead you to reinforce existing biases, such as thinking first of male security researchers before female."

Seek out the person most qualified to answer the question. If you constantly remind yourself to think of gender as you suggest, gender DOES become an issue, because you are forcing it.

"Are there more male security researchers than female? If so, take that on as a challenge, and mentor some female researchers and help them reach the top-tier of gurus."

Why, it's not his job to recruit females into the industry. Affirmative action like this doesn't help the situation, it just totally reverses it. Now I have to think of a woman because people think of them less often because there are less of them in this field, so now I go and reverse the situation, thinking of them far more often than I should, intentionally favoring them so I don't get viewed as sexist, except I am being sexist now, towards men.

Your entire comment was pretty ridiculous and I don't care if you are male or female.

"After Appelbaum was outed by the press as being associated with WikiLeaks..."

I don't like the MSM either, but in all fairness, Appelbaum represented Wikileaks in place of Julian Assange at HOPE 2010 (Hackers On Planet Earth, a security conference). The press didn't have to "out" anyone.

Christopher Soghoian, Ph.D. is a Washington, DC based privacy and security researcher. He is the Principal Technologist in the Speech, Privacy and Technology Project at the American Civil Liberties Union.